\documentclass[11pt,a4paper]{scrartcl}
\usepackage{algorithm}
\usepackage{algpseudocode}
\usepackage[utf8]{inputenc}
\usepackage[margin=2.25cm]{geometry}
\usepackage{hyperref}
\usepackage{listings}
\usepackage{xcolor}
\usepackage{lmodern}
\usepackage{booktabs}
\usepackage{multirow}
\usepackage{graphicx}
\usepackage{float}
\usepackage{tikz}
\usepackage{pgfplots}
\pgfplotsset{compat=1.18}
\usepackage{subcaption}
\setlength{\parindent}{0cm}
\setlength{\parskip}{0.3em}
\hypersetup{pdfborder={0 0 0}}
%\usepackage[nomessages]{fp} no easter eggs this time
\usepackage{amsmath}
\DeclareMathOperator*{\argmax}{arg\,max}
\DeclareMathOperator*{\argmin}{arg\,min}
\usepackage{minted}

\definecolor{codegreen}{rgb}{0,0.6,0}
\definecolor{codegray}{rgb}{0.5,0.5,0.5}
\definecolor{codepurple}{rgb}{0.58,0,0.82}
\definecolor{backcolour}{rgb}{0.95,0.95,0.92}

\lstdefinestyle{mystyle}{
  backgroundcolor=\color{backcolour},
  commentstyle=\color{codegreen},
  keywordstyle=\color{magenta},
  keywordstyle=[2]{\color{olive}},
  numberstyle=\tiny\color{codegray},
  stringstyle=\color{codepurple},
  basicstyle=\ttfamily\footnotesize,
  breakatwhitespace=false,
  breaklines=true,
  captionpos=b,
  keepspaces=true,
  numbers=left,
  numbersep=5pt,
  showspaces=false,
  showstringspaces=false,
  showtabs=false,
  tabsize=2,
  aboveskip=0.8em,
  belowcaptionskip=0.8em
}
\lstset{style=mystyle}

\geometry{left=2cm,right=2cm,top=2cm,bottom=3cm}
\title{
  \vspace{-5ex}
  Assignment 1 -- Software Analysis \\\vspace{0.5cm}
  \Large Static Analysis with Infer
  \vspace{-1ex}
}
\author{Claudio Maggioni}
\date{\vspace{-3ex}}

\begin{document}
\maketitle

\section{Project selection}

Given that this assignment draws parallels with the Software Design and
Modelling class of last semester, specifically regarding static analyzers, I
choose to analyze with Infer\footnote{\url{https://fbinfer.com/}} the same
project I analyzed in the past with PMD and SonarQube, to make for an
interesting comparison between static analysis paradigms.

The project I analyze is therefore
\href{https://github.com/apache/commons-lang}{\textbf{apache/commons-lang}}.

\subsection{The Apache Commons Lang Project}

The Apache Commons family of libraries is an Apache Software
Foundation\footnote{\url{https://apache.org/}} sponsored collection of Java
libraries designed to complement the standard libraries of Java. The Apache
Commons Lang project focuses on classes that would have fitted in the
\textit{java.lang} package if they were included with Java.

All the source and test classes are contained within the package
\textit{org.apache.commons.lang3} or in a sub-package of that package. For the
sake of brevity, this prefix is omitted from now on when mentioning packages and
classes in the project.

I choose to analyze version 3.12.0 of the library (i.e.\ the code under the
\textit{git} tag \textit{rel/commons-lang-3.12.0}) because it is the same
version analyzed during the SDM class.

To verify that the project satisfies the 5000 lines of code requirement, I run
the \textit{cloc} tool. Results are shown in Table \ref{tab:cloc}. Given the
project has more than 118,000 lines of code, this requirement is satisfied.

\begin{table}[ht]
  \centering
  \begin{tabular}{lrrrr}
    \toprule
    Language & Files & Blank & Comment & Code \\
    \midrule
    Java & 409 & 15,790 & 60,363 & 86,056 \\
    HTML & 22 & 1,015 & 100 & 13,028 \\
    Text & 30 & 1,858 & 0 & 12,415 \\
    XML & 38 & 434 & 539 & 4,819 \\
    Maven & 1 & 31 & 37 & 940 \\
    JavaScript & 5 & 21 & 78 & 698 \\
    Markdown & 3 & 38 & 0 & 202 \\
    CSS & 4 & 36 & 66 & 140 \\
    Velocity Template Language & 1 & 23 & 31 & 90 \\
    Groovy & 1 & 12 & 22 & 81 \\
    YAML & 3 & 12 & 42 & 55 \\
    Bourne Shell & 1 & 0 & 2 & 2 \\
    \midrule
    Total & 518 & 19,270 & 61,280 & 118,526 \\
    \bottomrule
  \end{tabular}
  \caption{Output of the \textit{cloc} tool for the Apache Commons Lang project at
    tag \textit{rel/commons-lang-3.12.0} (before fixes are applied).}
  \label{tab:cloc}
\end{table}

\section{Running the Infer tool}

The relevant source code to analyze has been copied to the directory
\textit{before} in the assignment repository

\begin{center}
\href{https://gitlab.com/usi-si-teaching/msde/2022-2023/software-analysis/maggioni/assignment-2}{\textit{usi-si-teaching/msde/2022-2023/software-analysis/maggioni/assignment-2}}
\end{center}

on \textit{gitlab.com}. The script \textit{docker-infer.sh} can be run to
automatically run the Infer tool using default options through the course
tools Docker image \textit{bugcounting/satools:y23}. The analysis outputs
are located in \textit{before/infer-out/report.txt}.

\section{Results}

Table \ref{tab:infer} shows the results of the analysis performed by Infer,
with comments on true and false positives and the actions taken for each
result.

In total

\begin{table}[ht]
  \small
  \begin{tabular}{@{}llp{1.2cm}p{0.8cm}p{6cm}@{}}
    \toprule
    \textbf{File} & \textbf{Line} & \textbf{Kind} & \textbf{True Pos.} &
    \textbf{Comment} \\ \midrule
    AnnotationUtils.java & 72 & Null & Yes & -- \\
    reflect/MethodUtils.java & 486 & Null & Yes & -- \\
    reflect/FieldUtils.java & 126 & Null & Yes & -- \\
    concurrent/MultiBackgroundInitializer.java & 160 & Thread Safety & Yes & -- \\
    \midrule
    builder/ToStringBuilder.java & 223 & Null & ?? & \multirow{2}{6cm}{??} \\
    builder/ReflectionToStringBuilder.java & 131 & Null & No & \\
    \midrule
    time/DurationUtils.java & 142 & Null & No & The method which may return a null
    value returns a non-null value if its parameter is non-null, and a
    non-null parameter is given \\
    \midrule
    CharSetUtils.java & 181 & Null & No & According to \textit{java.lang} documentation, the
    method always returns a non-null value \\
    \midrule
    reflect/FieldUtils.java & 341 & Null & No &
    \multirow{4}{6cm}{A utility method is used to guard the dereference reported
    with an exception throw} \\
    reflect/FieldUtils.java & 385 & Null & No & \\
    reflect/FieldUtils.java & 599 & Null & No & \\
    reflect/FieldUtils.java & 644 & Null & No & \\
    \midrule
    reflect/MethodUtils.java & 987 & Null & No & The method which may return a null
    value returns a non-null value if its parameter is non-null, and a
    non-null parameter is always given according to the \textit{java.lang}
    documentation for the inner nested method \\ \bottomrule
  \end{tabular}
  \caption{Results of the Infer static analysis tool execution with default
    options. \textit{True Pos.} denotes whether a result is a true positive,
    while \textit{Kind} denotes with \textit{Null} and \textit{Thread Safety}
    respectively null dereference issues and thread safety violations.}
  \label{tab:infer}
\end{table}
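
The two false-positive shapes the table describes (a method that returns null
only when its argument is null, and a dereference guarded by a utility method
that throws) are illustrated by the following added, self-contained Java
example, which is not the project's or this report's own code; \textit{upper},
\textit{notNull} and \textit{lookup} are hypothetical stand-ins for the library
methods involved.

```java
import java.util.Locale;

/** Constructed illustration of the two false-positive shapes in the table; not project code. */
public final class InferFalsePositives {

    /** Hypothetical helper: returns null only when its argument is null. */
    static String upper(String s) {
        return s == null ? null : s.toUpperCase(Locale.ROOT);
    }

    // If upper() is summarised as "may return null", this reads as a null dereference,
    // although the argument is a literal and the result cannot be null on this path.
    static int upperLength() {
        return upper("infer").length();
    }

    /** Hypothetical guard helper: throws instead of returning when given null. */
    static <T> T notNull(T value, String name) {
        if (value == null) {
            throw new IllegalArgumentException(name + " must not be null");
        }
        return value;
    }

    /** Hypothetical lookup that legitimately returns null for unknown keys. */
    static String lookup(String key) {
        return "known".equals(key) ? "value" : null;
    }

    // Shape of the FieldUtils reports: the guard is a separate call whose result is
    // discarded, so the dereference is protected only by the helper's exception.
    static int lengthGuardedByHelper(String key) {
        String v = lookup(key);
        notNull(v, "v");
        return v.length();
    }

    // Equivalent code that keeps the non-null fact in the local data flow by using
    // the guard's return value; an inline null check has the same effect.
    static int lengthGuardedByResult(String key) {
        String v = notNull(lookup(key), "v");
        return v.length();
    }

    public static void main(String[] args) {
        System.out.println(upperLength());
        System.out.println(lengthGuardedByResult("known"));
    }
}
```

Reviewing a report in this way, checking whether the non-null fact is visible in the local data flow or only through another method's contract, is what separates the true positives from the false ones in the table.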

\end{document}